JURI and SSL. Is this a bug? broken media uploaders

[jptkts]

I was having problems using SSL in the admin and the problem looks to be caused by the JURI functions, in particular JURI::base()

If I force SSL on either the entire site or administrator the JURI::base() always returns a non https secure URL (it returns http regardless of settings). I assume it is getting the base directly from the configuration file.

I noticed the issue first in the core joomla media manager. When it creates the form action for the upload form it does not use jroute, it just uses JURI:

Code: Select all

<form action="<?php echo JURI::base(); ?>index.php?option=com_media&task=file.upload&tmpl=component&<?php echo $this->session->getName().'='.$this->session->getId(); ?>&<?php echo JUtility::getToken();?>=1" id="uploadForm" method="post" enctype="multipart/form-data">

And since JURI is always returning an http link (not https) the upload fails, so this seems to me that anyone forcing SSL will encounter these same issues in various components. My Joomla is up to date.

Has anyone else encountered this issue?? Any idea what I could do to fix this before the issue is addressed hopefully in a future version? Maybe if I do a check in the config file to see if its https and from there modify the base joomla path.

Thanks!

[jptkts]

Well I think I found a temporary fix, and by doing so it fixes the upload functionality in the core media manager, phoca gallery, and JCE! The only problem is that it is a core hack. The reason I couldn't add an if statement in the configuration.php file is that it would force all pages to be ssl including those in the front end. I only want the back end administrator pages to be SSL.

In the file: Joomlaroot/libraries/joomla/environment/uri.php
starting on line 214 replace this if statement:

Code: Select all

if(JPATH_BASE == JPATH_ADMINISTRATOR) {
	$base['path'] .= '/administrator';
}

with the following:

Code: Select all

if(JPATH_BASE == JPATH_ADMINISTRATOR) {
	$force_ssl = $config->getValue('config.force_ssl');
	if($force_ssl > 0){
		$base['prefix'] = ereg_replace("http://","https://",$base['prefix']);
	}
	$base['path'] .= '/administrator';
}

that if statement is useful in determining if its a request for an administrator URL (and hence the reason I couldn't do it in the main configuration file). I replace the http in the 'prefix' with https (since I already know I want all administrator requests to be handled with https regardless) Fixes the problem!!

However this is not a very elegant fix since when I upgrade I will probably have to add that back in unless this is truly a bug (it seems like one to me) and they fix it.

I filed an item in the tracker here
http://joomlacode.org/gf/project/joomla ... m_id=15458

JP

[jptkts]

I changed the above code so it replaces https:// instead of just http and it works! It also checks to see if you have ssl set to enabled in the config (so if you disable ssl in configuration file it won't replace the url with https and break your site).

I thought it didn't work right because i had to make another hack to JCE a couple weeks to get it to work right due to the JURI problem! but i took that hack out and it was fine. The good thing about the above hack is its a global thing, whereas before I was patching each component at a time due to the JURI problem and SSL. LOL!

[LeClerc]

jptkts,

Just wanted to post and say that this works for me!

I'd been suffering from this "admin loop" thing for a couple of days and finally got it down to the SSL issue. Which you've now cured for me.

Huge thanks, kudos and all of the rest of those good things to you - you are a star!

[rick_v_h]

So which need to be ssl and which need to be SSL ?

friendly greets,

[navidz]

I have this problem
When Joomla team will solve this Bug?

Example: http://sabt.kr.ir/

[yasdad]

Just wanted to say thanks to the OP for this solution.

I had exactly this issue: without forcing SSL, the admin area was accessible without any problem, but for obvious security reasons, I switched this flag on and immediately it broke the admin login. Switching it off solved it but at the expense of security - a very high price to pay. After many weeks on and off searching, finally I arrive at this page

From the looks of it, I'd say this is a definite bug-fix rather than a hack - I hope this is implemented for the next version.

[PhilD]

@jptkts

Do you mind if I move your post to the administration forum? SSL issues were decided to be administrator issues not security issues.

[jptkts]

Phil, That is OK with me.

[imaginebeing]

this worked like a charm

[djackso1]

I highly recommend anyone having issues with SSL Certificate, https, or force ssl administrator configuration for the administrator side of the site read this topic.

Thank you so much for this fix! It worked perfectly for me. Ever since forcing SSL on the administrator I was having issues with multiple components/functions, including JCE, media manager uploads and DJ image slider. I had narrowed down the issue to the $live_site variable in the config file, but had no idea how or where to override this just for the administrator side of my side. I've been looking for a fix for over two days, thank you for sharing this very helpful fix. Hopefully there will be a fix to this issue for future versions of Joomla. For the record I applied this fix to Joomla 1.5.22.

[dvfd7]

I found this article by chance.....

could my issue (http://forum.joomla.org/viewtopic.php?f=428&t=608599) be the same sort of issue described here???? You say Joomla reverts to http regardless of settings.

I am trying to just get one component to go into HTTPS, the rest of the site I could care less about but it is user facing front end. How could we modify that if statement for the one component I want to be HTTPS?

[splitz]

I tried the patch above but I couldn't get it to work.

After editing the uri file and leaving force ssl as none I got a 404 error page when trying to log in. So I changed force ssl to administrator but still got a 404 error page.

I tried from various browsers in case it was a cache issue.

I'm using Joomla 1.7 does that matter?

[moustafasamir]

I tried the patch above but I couldn't get it to work.

After editing the uri file and leaving force ssl as none I got a 404 error page when trying to log in. So I changed force ssl to administrator but still got a 404 error page.

I tried from various browsers in case it was a cache issue.

I'm using Joomla 1.7 does that matter?

I think you must have set the server to use SSL first before using force_ssl in joomla.

[imNotScott]

I used this fix to force SSL on some pages of my component and it worked fine in Joomla 1.5. I'm now in the process of getting the component to function in Joomla 2.5 and I get the following error when I hit the page I'm using this fix for:

Fatal error: Cannot access protected property JURI::$_uri in C:\xampp\htdocs\rhino_j25\components\com_rrmanager\controllers\payment.php on line 43

Does anyone have a suggested fix to this fix?